
gre-bridge between EdgeRouter and VyOS 1.2.2

Overview

A note for my own reference.
Connect an EdgeRouter-X (ER-X) and VyOS over an IPsec site-to-site tunnel,
then build an L2 tunnel on top of it with gre-bridge.

Why gre-bridge

A last-resort workaround for when you want to run MPLS between ER-X units but have no choice but to put a VyOS box in between.
When LDP is used for MPLS it discovers its neighbors via multicast, but VyOS supports neither MPLS nor multicast routing, which left me stuck.
So why not just carry it over L2? That is how I ended up using gre-bridge.

Network diagram

Topology

[image: Network Diagram.png]

Logical diagram

[image: Untitled.png]

Configuration steps

Configure IPsec, the bridge and the tunnels on VyOS and on the ER-X units.

VyOS settings

IP addresses:
  br0        192.168.0.1/24
  lo         10.255.0.1/32
  Global IP  XXX.XXX.XXX.XXX

VyOS configuration
# IPsec settings
set vpn ipsec esp-group ESP compression 'disable'
set vpn ipsec esp-group ESP lifetime '86400'
set vpn ipsec esp-group ESP mode 'tunnel'
set vpn ipsec esp-group ESP pfs 'dh-group2'
set vpn ipsec esp-group ESP proposal 1 encryption 'aes256'
set vpn ipsec esp-group ESP proposal 1 hash 'sha256'
set vpn ipsec esp-group ESP proposal 2 encryption 'aes256'
set vpn ipsec esp-group ESP proposal 2 hash 'sha1'
set vpn ipsec ike-group IKE ikev2-reauth 'no'
set vpn ipsec ike-group IKE key-exchange 'ikev1'
set vpn ipsec ike-group IKE lifetime '10800'
set vpn ipsec ike-group IKE proposal 1 dh-group '14'
set vpn ipsec ike-group IKE proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKE proposal 1 hash 'sha256'
set vpn ipsec ike-group IKE proposal 2 dh-group '14'
set vpn ipsec ike-group IKE proposal 2 encryption 'aes256'
set vpn ipsec ike-group IKE proposal 2 hash 'sha1'
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec nat-networks allowed-network 0.0.0.0/0
set vpn ipsec nat-traversal 'enable'
set vpn ipsec site-to-site peer 0.0.0.0 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 0.0.0.0 authentication pre-shared-secret 'IPSecPass!'
set vpn ipsec site-to-site peer 0.0.0.0 connection-type 'initiate'
set vpn ipsec site-to-site peer 0.0.0.0 ike-group 'IKE'
set vpn ipsec site-to-site peer 0.0.0.0 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer 0.0.0.0 local-address 'any'
set vpn ipsec site-to-site peer 0.0.0.0 tunnel 1 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer 0.0.0.0 tunnel 1 allow-public-networks 'disable'
set vpn ipsec site-to-site peer 0.0.0.0 tunnel 1 esp-group 'ESP'
set vpn ipsec site-to-site peer 0.0.0.0 tunnel 1 local prefix '10.255.0.1/32'
set vpn ipsec site-to-site peer 0.0.0.0 tunnel 1 remote prefix '10.255.0.2/32'
set vpn ipsec site-to-site peer 0.0.0.0 tunnel 2 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer 0.0.0.0 tunnel 2 allow-public-networks 'disable'
set vpn ipsec site-to-site peer 0.0.0.0 tunnel 2 esp-group 'ESP'
set vpn ipsec site-to-site peer 0.0.0.0 tunnel 2 local prefix '10.255.0.1/32'
set vpn ipsec site-to-site peer 0.0.0.0 tunnel 2 remote prefix '10.255.0.3/32'


# Bridge settings
set interfaces bridge br0 address '192.168.0.1/24'
set interfaces bridge br0 aging '300'
set interfaces bridge br0 hello-time '2'
set interfaces bridge br0 max-age '20'
set interfaces bridge br0 priority '4096'
set interfaces bridge br0 stp 'false'

# Loopback settings
set interfaces loopback lo address '10.255.0.1/32'

# Tunnel settings
set interfaces tunnel tun1 encapsulation 'gre-bridge'
set interfaces tunnel tun1 local-ip '10.255.0.1'
set interfaces tunnel tun1 multicast 'enable'
set interfaces tunnel tun1 parameters ip bridge-group bridge 'br0'
set interfaces tunnel tun1 remote-ip '10.255.0.2'

set interfaces tunnel tun2 encapsulation 'gre-bridge'
set interfaces tunnel tun2 local-ip '10.255.0.1'
set interfaces tunnel tun2 multicast 'enable'
set interfaces tunnel tun2 parameters ip bridge-group bridge 'br0'
set interfaces tunnel tun2 remote-ip '10.255.0.3'


ER-X1 settings

Prerequisites: Internet connectivity is already configured.
  The interface facing the Internet is pppoe.
  The ER-X can reach VyOS.

IP addresses:
  br0  192.168.0.2/24
  lo   10.255.0.2/32

ER-X1 configuration
# IPsec settings
set vpn ipsec esp-group ESP compression 'disable'
set vpn ipsec esp-group ESP lifetime '86400'
set vpn ipsec esp-group ESP mode 'tunnel'
set vpn ipsec esp-group ESP pfs 'dh-group2'
set vpn ipsec esp-group ESP proposal 1 encryption 'aes256'
set vpn ipsec esp-group ESP proposal 1 hash 'sha256'
set vpn ipsec esp-group ESP proposal 2 encryption 'aes256'
set vpn ipsec esp-group ESP proposal 2 hash 'sha1'
set vpn ipsec ike-group IKE ikev2-reauth 'no'
set vpn ipsec ike-group IKE key-exchange 'ikev1'
set vpn ipsec ike-group IKE lifetime '10800'
set vpn ipsec ike-group IKE proposal 1 dh-group '14'
set vpn ipsec ike-group IKE proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKE proposal 1 hash 'sha256'
set vpn ipsec ike-group IKE proposal 2 dh-group '14'
set vpn ipsec ike-group IKE proposal 2 encryption 'aes256'
set vpn ipsec ike-group IKE proposal 2 hash 'sha1'
set vpn ipsec ipsec-interfaces interface pppoe
set vpn ipsec nat-networks allowed-network 0.0.0.0/0
set vpn ipsec nat-traversal 'enable'

set vpn ipsec site-to-site peer XXX.XXX.XXX.XXX authentication mode pre-shared-secret
set vpn ipsec site-to-site peer XXX.XXX.XXX.XXX authentication pre-shared-secret 'IPSecPass!'
set vpn ipsec site-to-site peer XXX.XXX.XXX.XXX connection-type respond
set vpn ipsec site-to-site peer XXX.XXX.XXX.XXX default-esp-group ESP
set vpn ipsec site-to-site peer XXX.XXX.XXX.XXX ike-group IKE
set vpn ipsec site-to-site peer XXX.XXX.XXX.XXX ikev2-reauth inherit
set vpn ipsec site-to-site peer XXX.XXX.XXX.XXX local-address default
set vpn ipsec site-to-site peer XXX.XXX.XXX.XXX tunnel 1 allow-nat-networks disable
set vpn ipsec site-to-site peer XXX.XXX.XXX.XXX tunnel 1 allow-public-networks disable
set vpn ipsec site-to-site peer XXX.XXX.XXX.XXX tunnel 1 local prefix 10.255.0.2/32
set vpn ipsec site-to-site peer XXX.XXX.XXX.XXX tunnel 1 remote prefix 10.255.0.1/32


# Bridge settings
set interfaces bridge br0 address '192.168.0.2/24'
set interfaces bridge br0 aging '300'
set interfaces bridge br0 hello-time '2'
set interfaces bridge br0 max-age '20'
set interfaces bridge br0 priority '4096'
set interfaces bridge br0 stp 'false'


# Loopback settings
set interfaces loopback lo address '10.255.0.2/32'


# Tunnel settings
set interfaces tunnel tun0 encapsulation 'gre-bridge'
set interfaces tunnel tun0 local-ip '10.255.0.2'
set interfaces tunnel tun0 multicast 'enable'
set interfaces tunnel tun0 parameters ip bridge-group bridge 'br0'
set interfaces tunnel tun0 remote-ip '10.255.0.1'



ER-X2 settings

Prerequisites: Internet connectivity is already configured.
  The interface facing the Internet is pppoe.
  The ER-X can reach VyOS.

IP addresses:
  br0  192.168.0.3/24
  lo   10.255.0.3/32

ER-X2 configuration

# IPsec settings
set vpn ipsec esp-group ESP compression 'disable'
set vpn ipsec esp-group ESP lifetime '86400'
set vpn ipsec esp-group ESP mode 'tunnel'
set vpn ipsec esp-group ESP pfs 'dh-group2'
set vpn ipsec esp-group ESP proposal 1 encryption 'aes256'
set vpn ipsec esp-group ESP proposal 1 hash 'sha256'
set vpn ipsec esp-group ESP proposal 2 encryption 'aes256'
set vpn ipsec esp-group ESP proposal 2 hash 'sha1'
set vpn ipsec ike-group IKE ikev2-reauth 'no'
set vpn ipsec ike-group IKE key-exchange 'ikev1'
set vpn ipsec ike-group IKE lifetime '10800'
set vpn ipsec ike-group IKE proposal 1 dh-group '14'
set vpn ipsec ike-group IKE proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKE proposal 1 hash 'sha256'
set vpn ipsec ike-group IKE proposal 2 dh-group '14'
set vpn ipsec ike-group IKE proposal 2 encryption 'aes256'
set vpn ipsec ike-group IKE proposal 2 hash 'sha1'
set vpn ipsec ipsec-interfaces interface pppoe
set vpn ipsec nat-networks allowed-network 0.0.0.0/0
set vpn ipsec nat-traversal 'enable'

set vpn ipsec site-to-site peer XXX.XXX.XXX.XXX authentication mode pre-shared-secret
set vpn ipsec site-to-site peer XXX.XXX.XXX.XXX authentication pre-shared-secret 'IPSecPass!'
set vpn ipsec site-to-site peer XXX.XXX.XXX.XXX connection-type respond
set vpn ipsec site-to-site peer XXX.XXX.XXX.XXX default-esp-group ESP
set vpn ipsec site-to-site peer XXX.XXX.XXX.XXX ike-group IKE
set vpn ipsec site-to-site peer XXX.XXX.XXX.XXX ikev2-reauth inherit
set vpn ipsec site-to-site peer XXX.XXX.XXX.XXX local-address default
set vpn ipsec site-to-site peer XXX.XXX.XXX.XXX tunnel 0 allow-nat-networks disable
set vpn ipsec site-to-site peer XXX.XXX.XXX.XXX tunnel 0 allow-public-networks disable
set vpn ipsec site-to-site peer XXX.XXX.XXX.XXX tunnel 0 local prefix 10.255.0.3/32
set vpn ipsec site-to-site peer XXX.XXX.XXX.XXX tunnel 0 remote prefix 10.255.0.1/32


# Bridge settings
set interfaces bridge br0 address '192.168.0.3/24'
set interfaces bridge br0 aging '300'
set interfaces bridge br0 hello-time '2'
set interfaces bridge br0 max-age '20'
set interfaces bridge br0 priority '4096'
set interfaces bridge br0 stp 'false'


# Loopback settings
set interfaces loopback lo address '10.255.0.3/32'


# Tunnel settings
set interfaces tunnel tun0 encapsulation 'gre-bridge'
set interfaces tunnel tun0 local-ip '10.255.0.3'
set interfaces tunnel tun0 multicast 'enable'
set interfaces tunnel tun0 parameters ip bridge-group bridge 'br0'
set interfaces tunnel tun0 remote-ip '10.255.0.1'

Verification

- Run traceroute from ER-X1 to the br0 address of VyOS; it should arrive in one hop.
- Run traceroute from ER-X1 to the br0 address of ER-X2; it should arrive in one hop.
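The three configurations above are easy to get subtly out of step: a gre-bridge tunnel whose local-ip/remote-ip pair is not covered by an IPsec local/remote prefix on the same device is simply routed out unencrypted, and the ESP group still keeps dh-group2 (1024-bit MODP) for PFS plus sha1 fallback proposals. The Python script below is an added example, not part of the original article or of VyOS/EdgeOS: it parses set-commands in the format shown above, lists gre-bridge tunnels that no IPsec selector protects, and flags the weak algorithm choices. ERX1 is a constructed excerpt of the ER-X1 configuration with a deliberately mistyped tun9 as the failure case.

```python
# Consistency check for the configuration above: GRE endpoints vs. IPsec selectors, weak algorithms.
import ipaddress

def parse(cfg):
    # 'set a b c' -> ['a', 'b', 'c'], with the optional single quotes stripped
    return [[t.strip("'") for t in ln.split()[1:]]
            for ln in cfg.splitlines() if ln.strip().startswith("set ")]

def gre_tunnels(cfg):
    # tunnel name -> {attribute: value}, kept only when encapsulation is gre-bridge
    tuns = {}
    for c in (c for c in parse(cfg) if c[:2] == ["interfaces", "tunnel"] and len(c) == 5):
        tuns.setdefault(c[2], {})[c[3]] = c[4]
    return {n: a for n, a in tuns.items() if a.get("encapsulation") == "gre-bridge"}

def ipsec_selectors(cfg):
    # (local_prefix, remote_prefix) for each 'site-to-site peer P tunnel N' that sets both
    sel = {}
    for c in (c for c in parse(cfg) if c[:4] == ["vpn", "ipsec", "site-to-site", "peer"]
              and len(c) == 10 and c[5] == "tunnel" and c[8] == "prefix"):
        sel.setdefault((c[4], c[6]), {})[c[7]] = ipaddress.ip_network(c[9])
    return [(v["local"], v["remote"]) for v in sel.values() if len(v) == 2]

def unprotected_tunnels(cfg):
    # gre-bridge tunnels whose endpoint pair matches no selector: their GRE is routed without ESP
    sels = ipsec_selectors(cfg)
    return [n for n, a in gre_tunnels(cfg).items()
            if not any(ipaddress.ip_address(a.get("local-ip", "0.0.0.0")) in loc and
                       ipaddress.ip_address(a.get("remote-ip", "0.0.0.0")) in rem for loc, rem in sels)]

def weak_params(cfg):
    # esp-group / ike-group lines still using 1024-bit MODP (dh-group2) or SHA-1
    return [" ".join(c[2:]) for c in parse(cfg) if len(c) > 4 and c[:2] == ["vpn", "ipsec"]
            and c[2] in ("esp-group", "ike-group") and c[-1] in ("dh-group2", "sha1")]

# Constructed excerpt of the ER-X1 configuration above, plus a mistyped tun9 as the failure case.
ERX1 = """
set vpn ipsec esp-group ESP pfs 'dh-group2'
set vpn ipsec ike-group IKE proposal 2 hash 'sha1'
set vpn ipsec site-to-site peer XXX.XXX.XXX.XXX tunnel 1 local prefix 10.255.0.2/32
set vpn ipsec site-to-site peer XXX.XXX.XXX.XXX tunnel 1 remote prefix 10.255.0.1/32
set interfaces tunnel tun0 encapsulation 'gre-bridge'
set interfaces tunnel tun0 local-ip '10.255.0.2'
set interfaces tunnel tun0 remote-ip '10.255.0.1'
set interfaces tunnel tun9 encapsulation 'gre-bridge'
set interfaces tunnel tun9 local-ip '10.255.0.2'
set interfaces tunnel tun9 remote-ip '10.255.0.10'
"""
if __name__ == "__main__":
    print(unprotected_tunnels(ERX1), weak_params(ERX1))
```

Feed it the full `show configuration commands` output of each box; an empty list from unprotected_tunnels means every gre-bridge tunnel on that device rides inside an IPsec selector.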

That's all.
